safedep 0.1.1

Protect your dependencies from supply chain attacks.

🛡️ SafeDep: Your Dependency Guardian

SafeDep is an open-source tool designed to protect developers from Supply Chain Attacks. It analyzes packages and dependencies for malicious behavior, data exfiltration, and hidden vulnerabilities before you even install them.

"Don't just scan for known vulnerabilities. Detect suspicious behavior."

---

✨ Why SafeDep?

The package ecosystem (PyPI, NPM, Cargo) is under constant attack from Typosquatting, Dependency Injection, and Trojan Horses. SafeDep goes beyond standard vulnerability databases (CVEs) by analyzing both the static and dynamic behavior of the code.

Key Features

• 🔍 Pre-install Sandbox: Runs installation scripts in an isolated environment to monitor what they attempt to access.
• 📡 Network Monitor: Alerts you if a "text processing" package tries to make requests to unknown IP addresses.
• 🔑 Secret Leak Detection: Identifies if a package attempts to read your environment variables (.env) or API keys.
• 🏷️ Typosquatting Protection: Checks if a package name is dangerously similar to a popular one.

---

🛠️ Getting Started

To use SafeDep locally, clone the repository and install it in editable mode:

# create a virtual environment
python3 -m venv venv
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt

# Install SafeDep in editable mode (so code changes are reflected immediately)
pip install -e .

Sandbox Requirements

For behavioral analysis, Docker or Podman must be installed and running.

# Check if docker is available
docker --version

🚀 How to Use (CLI)

SafeDep provides several commands:

1. Check a package before installing

Analyzes a package (remote) for typosquatting and reputation risks.

Python (default):

safedep check <package_name>

Python Typosquatting Example:

# Detects similarity to 'requests'
safedep check requesst

NPM:

safedep check <package_name> --ecosystem npm

Cargo (Rust):

safedep check <package_name> --ecosystem cargo

2. Scan a local directory

Scans local files (Python, JS, TS, NPM, Cargo) for dangerous code patterns or suspicious dependencies (in requirements.txt, package.json, Cargo.toml).

SafeDep automatically excludes common dependency and internal directories like venv, node_modules, and .git to focus on your project's source code.

safedep scan <path_to_directory>

3. Behavioral Analysis (Sandbox)

Runs a package installation in a Docker container and monitors for suspicious system calls.

Python:

safedep check <package_name> --sandbox

NPM:

safedep check <package_name> --ecosystem npm --sandbox

Cargo:

safedep check <package_name> --ecosystem cargo --sandbox

---

🗺️ Development Roadmap

Phase 1: Foundation (MVP) - "The Scanner" ✅ (Implemented)

• ✅ Implementation of name similarity analysis (Anti-Typosquatting).
• ✅ Reputation verification (package creation date, author history).
• ✅ Static code scanner for dangerous functions.

Phase 2: Intelligence (Beta) - "The Behavioralist" 🧠 ✅ (Implemented)

• ✅ Sandboxing: Integration with Docker/Podman to run setup.py and monitor system calls (syscalls).
• ✅ Multi-language Support: Support for NPM (Node.js) and Cargo (Rust) in addition to Python.
• ✅ CI/CD Integration: GitHub Actions to block PRs with suspicious dependencies.

Phase 3: Community and Sustainability - "The Shield" 🛡️

SafeDep Hub: A community-driven database of "audited and clean" packages. Security Badges: A system for repositories to display security trust seals. Sponsorship Program: Launching the Sponsors program to maintain the heavy analysis infrastructure.

---

🤝 Contribute & Sponsor

This project is 100% free and community-focused. If you believe in a safer software ecosystem, consider becoming a contributor or sponsor. Give a ⭐ on GitHub Report Bugs Become a Sponsor: GitHub Sponsors / OpenCollective Developed for those who prioritize security.